I attempted to implement this in my Azure environment. I added a 3rd tag as we are looking to audit 3 tags in particular. I set the scope to a specific Resource Group which has two storage account resources "testresource1" and "testresource2". One of the resources does not have all three tags along with it having a completely different tag. And one has the required 3 tags.
However, no matter what I do they always show up as Compliant for both. I cannot get it to show Non-Compliant even though it clearly has the incorrect tags. I've looked over spelling and syntax mistakes in the definition along with the spelling of the tags.
Here is the definition:
{
  "properties": {
    "displayName": "Audit Required Tags on Resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Enforces existence of a tag. Does not apply to resource groups.",
    "metadata": {
      "category": "Tags"
    },
    "parameters": {
      "tagName1": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 1",
          "description": "Name of first tag, such as 'Application'"
        }
      },
      "tagName2": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 2",
          "description": "Name of second tag, such as 'Business Unit'"
        }
      },
      "tagName3": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name 3",
          "description": "Name of third tag, such as 'Environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName1'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName2'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName3'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
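
How the allOf block in the definition above evaluates, modelled in Python as an added example (not part of the original post, and not Azure's own evaluator). The tag names come from the parameter descriptions, the three sample resources are constructed, and an anyOf variant is included for comparison.

```python
# Minimal model of how a policy "if" block combines allOf / anyOf / exists
# conditions on tags. Added illustration only; sample data is constructed.

def evaluate(cond, resource):
    """Return True when the policy 'if' condition matches the resource."""
    if "allOf" in cond:   # logical AND: every child condition must match
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:   # logical OR: one matching child is enough
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    # Leaf condition: {"field": "tags[Name]", "exists": "true" | "false"}
    field = cond["field"]
    if not (field.startswith("tags[") and field.endswith("]")):
        raise ValueError(f"unsupported field: {field}")
    tag = field[len("tags["):-1].lower()
    want = str(cond["exists"]).lower() == "true"
    present = tag in {k.lower() for k in resource.get("tags", {})}
    return present == want

def missing(tag):
    """Leaf condition in the same shape the definition uses."""
    return {"field": f"tags[{tag}]", "exists": "false"}

# Assumed parameter values, taken from the parameter descriptions.
REQUIRED = ["Application", "Business Unit", "Environment"]
ALL_OF = {"allOf": [missing(t) for t in REQUIRED]}  # shape used in the post
ANY_OF = {"anyOf": [missing(t) for t in REQUIRED]}  # comparison variant

RESOURCES = [  # constructed sample resources
    {"name": "all-three", "tags": {"Application": "a", "Business Unit": "b",
                                   "Environment": "c"}},
    {"name": "one-of-three", "tags": {"Application": "a", "Owner": "x"}},
    {"name": "none-of-three", "tags": {"Owner": "x"}},
]

def audited(rule):
    """Names of resources the audit effect would mark non-compliant."""
    return [r["name"] for r in RESOURCES if evaluate(rule, r)]

if __name__ == "__main__":
    print("allOf audits:", audited(ALL_OF))
    print("anyOf audits:", audited(ANY_OF))
```

With allOf the rule matches only a resource that lacks all three tags; with anyOf it matches a resource that lacks at least one of them.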